Cisco ISE in the lab.

My company is in the very early stages of an MDM BYOD project. As part of that we are looking at the Cisco Identity Services Engine (ISE) as a central piece. I am about halfway through my testing and thought I would pass on some of what I have learned so far. I am far from being an ISE expert, and I don't cover profiling or the advanced features in this post; I have tried them but don't feel knowledgeable enough to go into the details.

ISE is an excellent NAC system, but it does much more than that. One of the advantages of configuring a new piece of technology yourself is that you learn much more, including other ways to increase the ROI. The main reason we are interested in ISE is as the enforcement point on our wireless network. When a device tries to connect to our BYOD network we want ISE to query the MDM server to verify that the device is registered and, if not, to redirect the device to the MDM provisioning portal. If the device is registered with the MDM, ISE will then query AD and verify the user credentials. This is a core function of ISE and went fairly well.

As a wireless engineer, I am very excited about the guest wireless features of ISE; this is a huge value-add for my company, as we have thousands of guests a month and the WLC lobby admin feature is a bit tedious. ISE will allow anyone in the correct AD group to sponsor a guest, or we can let the guest self-register. A downloadable access control list (dACL) can then be applied, limiting the guest's access to internal resources. I personally like the sponsor option better for our environment.

Another feature I love and can see using in the future is, once again, the dACL. We have handheld scanners in our environment, and let's say their security features are not robust. By putting the scanners' usernames in an AD group we can call a dACL on our WLC and limit what the scanners can talk to. This again will be a value-add and will replace the non-centralized methods we use now. While these features have been available in the past in other Cisco products, having them brought together in one fully integrated product will be a dream to administer and gives the fabled "single pane of glass" view into network access.
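Both the guest dACL and the scanner dACL above stand or fall on the access control entries actually saying what you think they say, and ISE will happily push a list that permits far more than intended. The following is an added example, not ISE, WLC or any Cisco code: a small evaluator for a subset of Cisco-style ACE syntax (`permit|deny <ip|tcp|udp> <src> [eq <port>] <dst> [eq <port>]`, with `any` or `host <ipv4>` addresses) that walks a proposed dACL top-down, first match wins, implicit deny at the end, against a set of constructed flows a scanner might generate. The dACL text, the addresses (10.20.30.40 as the scanner back end, 10.20.30.41 as a file server it must never reach) and the flows are all constructed for illustration.

```python
"""Check what a Cisco-style dACL will let a client do before ISE pushes it.

Added example, not ISE or WLC code. Supported ACE subset:
    permit|deny <ip|tcp|udp> <src> [eq <port>] <dst> [eq <port>]
where <src>/<dst> is 'any' or 'host <ipv4>'. A dACL is applied to the
client's own traffic, so 'any' as the source just means 'this client'.
All addresses, ports and flows below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Port keywords Cisco ACEs accept in place of numbers (subset).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}


@dataclass(frozen=True)
class Flow:
    proto: str   # 'tcp' or 'udp'
    src: str     # client IPv4 (0.0.0.0 before DHCP completes)
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str          # 'permit' or 'deny'
    proto: str           # 'ip' matches any transport protocol
    src: str             # 'any' or an IPv4 address
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse one ACE line; raise ValueError on anything outside the subset."""
    toks = line.split()
    if len(toks) < 4 or toks[0] not in ("permit", "deny") or toks[1] not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported ACE: {line!r}")
    pos = 2

    def address() -> str:
        nonlocal pos
        if pos < len(toks) and toks[pos] == "any":
            pos += 1
            return "any"
        if pos + 1 < len(toks) and toks[pos] == "host":
            pos += 2
            return toks[pos - 1]
        raise ValueError(f"unsupported address in ACE: {line!r}")

    def port() -> Optional[int]:
        nonlocal pos
        if pos + 1 < len(toks) and toks[pos] == "eq":
            pos += 2
            name = toks[pos - 1]
            return PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return None

    src, sport, dst, dport = address(), port(), address(), port()
    if pos != len(toks):
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return Ace(toks[0], toks[1], src, sport, dst, dport)


def load_dacl(text: str) -> List[Ace]:
    """Parse a multi-line dACL, skipping blank lines and '!' comment lines."""
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]


def matches(ace: Ace, flow: Flow) -> bool:
    return (ace.proto in ("ip", flow.proto)
            and ace.src in ("any", flow.src)
            and ace.dst in ("any", flow.dst)
            and ace.sport in (None, flow.sport)
            and ace.dport in (None, flow.dport))


def permitted(dacl: List[Ace], flow: Flow) -> bool:
    """First matching ACE wins; no match hits the implicit deny at the end."""
    for ace in dacl:
        if matches(ace, flow):
            return ace.action == "permit"
    return False


def audit(dacl_text: str, flows: Dict[str, Flow]) -> Dict[str, bool]:
    """Evaluate every named flow against the dACL; True means permitted."""
    dacl = load_dacl(dacl_text)
    return {name: permitted(dacl, flow) for name, flow in flows.items()}


# Constructed scanner dACL: DHCP, DNS and HTTPS to the scanner back end only.
SCANNER_DACL = """\
! constructed example, not a production ACL
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any host 10.20.30.40 eq 443
deny ip any any
"""

# Constructed flows: 10.20.30.40 is the back end, 10.20.30.41 a file server.
SCANNER_FLOWS = {
    "dhcp_discover": Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns_lookup": Flow("udp", "10.20.5.7", 51000, "10.20.1.1", 53),
    "https_backend": Flow("tcp", "10.20.5.7", 52000, "10.20.30.40", 443),
    "http_backend": Flow("tcp", "10.20.5.7", 52001, "10.20.30.40", 80),
    "smb_fileserver": Flow("tcp", "10.20.5.7", 52002, "10.20.30.41", 445),
}

if __name__ == "__main__":
    for name, ok in audit(SCANNER_DACL, SCANNER_FLOWS).items():
        print(f"{name:15} {'permit' if ok else 'deny'}")
```

Running the audit shows DHCP, DNS and HTTPS to the back end permitted and plain HTTP to the back end and SMB to the file server denied, which is the least-privilege result you want for a device you do not trust to defend itself. Two caveats: the evaluator deliberately rejects any ACE syntax outside the subset it understands rather than guessing, so extend the parser before trusting it on a richer list; and ISE only returns the ACL, so whether a given WLC enforces a downloadable ACL or instead expects a named ACL preconfigured on the controller (referenced through the Airespace-ACL-Name attribute) is something to confirm for your controller release before the pilot.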

I am very hopeful about ISE from what I have tested so far, and I am glad I decided to do the lab portion myself. I intend to engage a Partner for the pilot and deployment due to the scale. If you want to keep up with my lab testing you can take a look at my Twitter feed @wfmaguire. Thanks for reading, and please leave a comment below about your favorite ISE feature or another one I should look at!

Good information. I am also working on an ISE deployment to achieve network edge security for devices of either an 'Owned', 'Trusted' or 'Untrusted' classification for about 350,000 endpoints. I think the product is very young but has potential.
